CVE-2022-39311
Published: 14 October 2022
Summary
CVE-2022-39311 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Thoughtworks GoCD. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
GoCD versions prior to 21.1.0 contain a remote code execution vulnerability in the server component that stems from exposure of a Spring RemoteInvocation endpoint used for agent communication. The endpoint permitted deserialization of arbitrary Java objects, directly enabling code execution on the server. The affected software is the open-source GoCD continuous delivery server, and the issue is tracked under CWE-502.
An attacker who obtains agent-level authentication can exploit the flaw by sending a malicious serialized object. Practical attack paths include compromising an existing build agent, intercepting its network traffic, or successfully registering a new malicious agent with the server. Successful exploitation grants the attacker full remote code execution with the privileges of the GoCD server process.
The official GoCD security advisory and release notes state that the vulnerability is resolved in version 21.1.0. The fix is implemented in commit 7b88b70d6f7f429562d5cab49a80ea856e34cdc8, and the project reports no known workarounds for earlier releases. The EPSS score has remained flat at 0.0947 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-41799
Vulnerability details
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary Java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication, or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing supplies malicious serialized objects to the application, detecting unsafe deserialization and supporting corrective actions.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process then addresses.
- Untrusted serialized data can be deserialized and observed inside a sandbox, so that gadget-chain exploitation is contained and cannot reach the host outside the sandbox.
- Validating or rejecting untrusted serialized data before deserialization occurs.
- Identifying and blocking malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized information can detect tampering before deserialization occurs.
- Provenance tracking of associated data allows detection of untrusted sources before deserialization or processing occurs.
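Added illustration of the "validate or reject before deserialization" control above, written for this page and not taken from GoCD, Spring, or the 21.1.0 fix, and not a workaround for the advisory: a JDK ObjectInputFilter (JEP 290) that allow-lists the one message class an agent-facing endpoint expects and rejects every other class, including arbitrary gadget classes, before their deserialization logic runs. The class names, the AgentStatus message type and the HashMap sample payload are hypothetical and constructed here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Hypothetical demo class, not GoCD code: an allow-list filter for a Java
// object stream standing in for an agent-facing remote-invocation payload.
public class AgentPayloadFilterDemo {

    // Hypothetical message type that the endpoint legitimately expects.
    static final class AgentStatus implements Serializable {
        private static final long serialVersionUID = 1L;
        final String agentId;
        AgentStatus(String agentId) { this.agentId = agentId; }
    }

    // Only the expected message class and the JDK types it needs may deserialize;
    // the trailing "!*" rejects every other class. Depth and reference limits bound
    // resource use even for allowed classes.
    static final ObjectInputFilter AGENT_FILTER = ObjectInputFilter.Config.createFilter(
        "AgentPayloadFilterDemo$AgentStatus;java.lang.String;maxdepth=5;maxrefs=100;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed: a class outside the allow-list raises
    // InvalidClassException before any of its readObject logic executes.
    static Object readAgentPayload(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(AGENT_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = readAgentPayload(serialize(new AgentStatus("agent-01")));
        System.out.println("accepted: " + ((AgentStatus) ok).agentId);
        try { // constructed sample: a HashMap stands in for any class not on the allow-list
            readAgentPayload(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be installed process-wide with the jdk.serialFilter system property instead of per stream, which is the usual way to cover deserialization paths inside third-party frameworks.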